On Mon, 26 Apr 2021 17:29:26 GMT, Sean Mullan <mul...@openjdk.org> wrote:
> This change will restrict JARs signed with SHA-1 algorithms and treat them as
> if they were unsigned. This applies to the algorithms used to digest, sign,
> and optionally timestamp the JAR. It also applies to the signature and digest
> algorithms of the certificates in the certificate chain of the code signer
> and the Timestamp Authority, and any CRLs or OCSP responses that are used to
> verify if those certificates have been revoked.
>
> In order to reduce the compatibility risk for applications that have been
> previously timestamped or use private CAs, there are two exceptions to this
> policy:
>
> - Any JAR signed with SHA-1 algorithms and timestamped prior to January 01,
> 2019 will not be restricted.
> - Any JAR signed with a SHA-1 certificate that does not chain back to a Root
> CA included by default in the JDK `cacerts` keystore will not be restricted.
>
> These exceptions may be removed in a future JDK release.
>
> All tests are in the closed repo for now.
>
> CSR: https://bugs.openjdk.java.net/browse/JDK-8264362

This pull request has now been integrated.

Changeset: 27805775
Author:    Sean Mullan <mul...@openjdk.org>
URL:       https://git.openjdk.java.net/jdk/commit/278057756a1a79a4b030750c48b821ba9735a0f9
Stats:     3 lines in 1 file changed: 1 ins; 0 del; 2 mod

8196415: Disable SHA-1 Signed JARs

Reviewed-by: coffeys

-------------

PR: https://git.openjdk.java.net/jdk/pull/3700
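The policy quoted above reaches every place SHA-1 can hide in a signed JAR: the per-entry digests in the `.SF` file, the signer's digest and signature algorithms in the PKCS#7 block, the signature algorithms of the certificates in that block, and the timestamp token. A practitioner inventorying JARs before moving to a JDK with this change wants a quick way to find the ones that will start being treated as unsigned. The script below is an added triage example, not code from the PR, the JDK, or Sean Mullan: it scans the `.SF` digest headers and does a raw substring search for the DER encodings of the SHA-1 OIDs inside the signature block, which catches signer, certificate-chain and timestamp algorithms without an ASN.1 library. The sample JAR it builds is constructed in memory for the demonstration (member names `SIGNER.SF`/`SIGNER.RSA` and the stand-in signature block are assumptions, not a verifiable signature). It cannot evaluate the two exceptions in the policy (timestamp date, chain ending in a `cacerts` root), so confirm any hit with `jarsigner -verify -verbose -certs` on the target JDK.

```python
"""Triage helper: does a JAR rely on SHA-1 anywhere in its signature?"""
import hashlib
import io
import re
import sys
import zipfile
from base64 import b64encode

# DER encodings (tag 0x06 + length + contents) of the SHA-1 related OIDs that
# can appear in a PKCS#7 signature block: message digest, signer/CA signature
# algorithms, and the algorithms inside an embedded RFC 3161 timestamp token.
SHA1_OIDS = {
    "sha1 1.3.14.3.2.26": bytes.fromhex("06052b0e03021a"),
    "sha1WithRSAEncryption 1.2.840.113549.1.1.5": bytes.fromhex("06092a864886f70d010105"),
    "dsaWithSHA1 1.2.840.10040.4.3": bytes.fromhex("06072a8648ce380403"),
    "ecdsaWithSHA1 1.2.840.10045.4.1": bytes.fromhex("06072a8648ce3d0401"),
}
# Digest headers jarsigner writes into the .SF file; both the "SHA1-Digest"
# spelling and the standard-name "SHA-1-Digest" spelling are accepted here.
SF_SHA1_HEADER = re.compile(rb"^SHA-?1-Digest(?:-Manifest(?:-Main-Attributes)?)?:",
                            re.IGNORECASE | re.MULTILINE)
SF_FILE = re.compile(r"^META-INF/[^/]+\.SF$", re.IGNORECASE)
SIG_BLOCK = re.compile(r"^META-INF/[^/]+\.(?:RSA|DSA|EC)$", re.IGNORECASE)


def find_sha1_usage(jar_bytes: bytes) -> dict:
    """Map each signature-related member to a list of SHA-1 findings.

    An empty result means nothing was spotted, not that the JAR is unaffected:
    this does not verify signatures, read the timestamp date, or check whether
    the chain ends in a JDK cacerts root (the policy's two exceptions).
    """
    findings = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            hits = []
            if SF_FILE.match(name):
                n = len(SF_SHA1_HEADER.findall(data))
                if n:
                    hits.append(f"{n} SHA-1 digest header(s) in signature file")
            elif SIG_BLOCK.match(name):
                # The block is DER; a raw substring scan for the OID encodings
                # is a cheap heuristic that needs no ASN.1 parser.
                for label, der in SHA1_OIDS.items():
                    if der in data:
                        hits.append(f"{label} present in signature block")
            if hits:
                findings[name] = hits
    return findings


def build_sample_jar(sha1: bool) -> bytes:
    """Construct an in-memory sample JAR (assumed layout, not verifiable).

    The .RSA member is a stand-in: a byte string carrying the algorithm OIDs a
    real PKCS#7 SignedData for such a signer would contain.
    """
    payload = b"\xca\xfe\xba\xbe"  # placeholder class file contents
    if sha1:
        hdr, digest = "SHA1-Digest", hashlib.sha1
        oids = [SHA1_OIDS["sha1 1.3.14.3.2.26"],
                SHA1_OIDS["sha1WithRSAEncryption 1.2.840.113549.1.1.5"]]
    else:
        hdr, digest = "SHA-256-Digest", hashlib.sha256
        oids = [bytes.fromhex("0609608648016503040201"),  # sha256
                bytes.fromhex("06092a864886f70d01010b")]  # sha256WithRSAEncryption

    def b64(data: bytes) -> str:
        return b64encode(digest(data).digest()).decode()

    manifest = (f"Manifest-Version: 1.0\r\n\r\nName: com/example/Hello.class\r\n"
                f"{hdr}: {b64(payload)}\r\n\r\n")
    sf = (f"Signature-Version: 1.0\r\n{hdr}-Manifest: {b64(manifest.encode())}\r\n"
          f"{hdr}-Manifest-Main-Attributes: {b64(b'Manifest-Version: 1.0')}\r\n\r\n"
          f"Name: com/example/Hello.class\r\n{hdr}: {b64(manifest.encode())}\r\n\r\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr("META-INF/SIGNER.SF", sf)
        zf.writestr("META-INF/SIGNER.RSA", b"\x30\x82" + b"".join(oids))
        zf.writestr("com/example/Hello.class", payload)
    return buf.getvalue()


if __name__ == "__main__":
    # Pass a real JAR path to scan it; with no argument, scan the SHA-1 sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_jar(sha1=True)
    for member, hits in find_sha1_usage(data).items():
        for hit in hits:
            print(f"{member}: {hit}")
```

A JAR with several signers has one `.SF`/`.RSA` pair per signer, so a clean pair next to a SHA-1 pair still means part of the JAR's signing will be ignored; the OID scan can in principle also match a byte sequence inside a signature value, so treat hits as a prompt to run `jarsigner` on the target JDK rather than as a verdict.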